PREPARATION FOR COMPLIANCE & CERTIFICATION

Service Summary

Build Business Confidence

Our practice provides IT compliance readiness services that align business systems and operations with information security standards such as ISO 27001, SOC 2, PCI DSS, SOX and others. Standards compliance readiness helps businesses develop and implement effective IT policies, procedures and business process controls for quality business conduct and a secure information processing environment.

Client Cases

A large scale analytics company for the UK insurance market, that provides data analytics, market trends, customer surveys, product research and other statistical information for their clients.

Project Requirements:

The client wanted to become ISO 27001 compliant and required the corresponding policies, procedures and internal control environment to be implemented for their business operations.

Value Added:

The client gained compliance and was able to provide business assurance to trading partners, thus growing its partnerships and client base.

A large scale analytics company for the UK insurance market, that provides data analytics, market trends, customer surveys, product research and other statistical information for their clients.

Project Requirements:

The client requested a business wide asset evaluation and risk assessment as part of the ISMS integration project.

Our Service:

We created an asset register that values every business asset in terms of confidentiality, integrity and availability, then built a risk matrix of each asset's vulnerabilities, impacts and probability of occurrence, giving the business a complete risk management tool.

Value Added:

The client gained insight into the high risk areas of their processing environment and a tool through which they can monitor, update and evaluate their business risks.

Process Description

Our compliance readiness service starts with a business-wide asset enumeration and evaluation in terms of confidentiality, integrity and availability, followed by a threat and impact analysis. The risk for each company asset is then derived from its vulnerabilities and business impact and presented quantitatively, so that management can acknowledge and control it.

The risk assessment of any business consists of the following steps:

Asset Evaluation - Each physical and digital asset of the company is assigned a value for its confidentiality, integrity and availability. A general range of 1-3 is used (1 - Low, 2 - Medium, 3 - High) for each of the three areas of security. Summing the three ratings gives each asset a value of 3-9 depending on its value to the business.

Vulnerability Assessment - A vulnerability rating is defined for each asset using network and vulnerability scanners that reveal weaknesses in the network protocols, systems and applications in use. The assessment is done from both an external and an internal perspective to cover the different attack scenarios.

Impact & Probability - After walking through threat scenarios for each asset, an impact rating is assigned to reflect the severity of the effect on the business. The probability rating can be based on the business's own incident history together with market trends and predictions.

Risk - Through a quantitative risk-based approach we can now calculate the risk value for each of the business assets. This is done by defining risk as:

Once the risks have been calculated, the company has to define an acceptable risk value and identify where controls or mitigation procedures are needed to reduce the risk to acceptable levels across the board. This risk assessment is a long, in-depth analysis that takes around 2 months for an average-sized organization. The deliverables include a complete asset register, a vulnerability assessment report and a business-wide risk assessment matrix.
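The scoring steps above, worked through as a small risk register. This is an added example written for this page, not NetSafety's own tooling or a deliverable from the cases described. It uses the page's 1-3 ratings and the 3-9 asset value (the sum of the C/I/A ratings). The page does not state its risk formula, so the multiplicative model used here (asset value x vulnerability x impact x probability) is an assumption, as are the sample assets and the acceptable-risk threshold of 40.

```python
"""Quantitative risk register: asset value -> vulnerability -> impact/probability
-> risk -> compare against the acceptable risk level and re-score after controls.

Added example, not NetSafety's own code. The risk formula is an ASSUMPTION
of this example; the page only gives the 1-3 ratings and the 3-9 asset value.
"""
from dataclasses import dataclass, replace
from typing import Dict, List

RATING_NAMES = {1: "Low", 2: "Medium", 3: "High"}  # scale used on the page


def is_valid_rating(value: int) -> bool:
    """All ratings (C, I, A, vulnerability, impact, probability) must be 1, 2 or 3."""
    return value in RATING_NAMES


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int
    vulnerability: int  # from internal + external scanning, 1-3
    impact: int         # severity of the business effect if a threat materialises, 1-3
    probability: int    # likelihood, from incident history and trends, 1-3

    def __post_init__(self) -> None:
        for field in ("confidentiality", "integrity", "availability",
                      "vulnerability", "impact", "probability"):
            if not is_valid_rating(getattr(self, field)):
                raise ValueError(f"{field} must be 1, 2 or 3 for asset {self.name!r}")

    @property
    def asset_value(self) -> int:
        """Sum of the three CIA ratings: 3 (all Low) to 9 (all High), as on the page."""
        return self.confidentiality + self.integrity + self.availability

    @property
    def risk(self) -> int:
        """ASSUMED model: asset value x vulnerability x impact x probability.
        Ranges from 3 (3*1*1*1) to 243 (9*3*3*3)."""
        return self.asset_value * self.vulnerability * self.impact * self.probability


MAX_RISK = 9 * 3 * 3 * 3  # 243 under the assumed model


def risk_register(assets: List[Asset], acceptable_risk: int) -> List[Dict]:
    """Risk matrix rows, highest risk first, flagging assets above the threshold."""
    rows = []
    for a in sorted(assets, key=lambda x: x.risk, reverse=True):
        rows.append({"asset": a.name, "asset_value": a.asset_value,
                     "vulnerability": a.vulnerability, "impact": a.impact,
                     "probability": a.probability, "risk": a.risk,
                     "needs_control": a.risk > acceptable_risk})
    return rows


def controls_needed(assets: List[Asset], acceptable_risk: int) -> List[str]:
    """Names of the assets whose risk exceeds the acceptable level."""
    return [r["asset"] for r in risk_register(assets, acceptable_risk) if r["needs_control"]]


def apply_control(asset: Asset, **lowered: int) -> Asset:
    """What-if re-scoring after a control: e.g. patching lowers vulnerability,
    monitoring lowers probability, backups/BCP lower impact. The CIA value of
    the asset itself does not change, so only those three ratings may be passed."""
    allowed = {"vulnerability", "impact", "probability"}
    bad = set(lowered) - allowed
    if bad:
        raise ValueError(f"controls only change {sorted(allowed)}, not {sorted(bad)}")
    return replace(asset, **lowered)


# Constructed sample assets for a fictional analytics company (not real client data).
SAMPLE_ASSETS = [
    Asset("Customer survey database", 3, 3, 2, vulnerability=3, impact=3, probability=2),
    Asset("Analytics web portal", 2, 2, 3, vulnerability=2, impact=2, probability=3),
    Asset("Office printer", 1, 1, 1, vulnerability=2, impact=1, probability=2),
    Asset("HR file server", 3, 2, 1, vulnerability=1, impact=2, probability=1),
]
ACCEPTABLE_RISK = 40  # assumed threshold chosen by management


def print_matrix(rows: List[Dict]) -> None:
    print(f"{'asset':26} {'val':>3} {'vul':>3} {'imp':>3} {'prob':>4} {'risk':>4}  control?")
    for r in rows:
        print(f"{r['asset']:26} {r['asset_value']:>3} {r['vulnerability']:>3} "
              f"{r['impact']:>3} {r['probability']:>4} {r['risk']:>4}  "
              f"{'YES' if r['needs_control'] else 'no'}")


if __name__ == "__main__":
    print_matrix(risk_register(SAMPLE_ASSETS, ACCEPTABLE_RISK))
    db = SAMPLE_ASSETS[0]
    patched = apply_control(db, vulnerability=1)          # patch the database host
    monitored = apply_control(patched, probability=1)     # add monitoring/alerting
    print(f"\n{db.name}: {db.risk} -> patched {patched.risk} -> monitored {monitored.risk}")
```

Running the block prints the matrix and then shows the iteration the paragraph describes: with the assumed model, patching alone takes the database from 144 to 48, still above the threshold of 40, and only adding a second control (lowering probability) brings it to 24. Whatever formula a business adopts, the point is that the threshold and the re-scoring after each control are what turn the register into a management tool rather than a one-off report.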

After completing the risk assessment it is important to implement quality policies and procedures for a controlled business environment. Policies and procedures are where an organization's security controls are designed, and they matter far more than they may seem at first glance. The simplest way to create quality policies and procedures is to take an ISO 27001 Information Security Policy template and perform a gap analysis of which controls are already operational in the business and which still have to be designed and implemented.

The policy has to cover the 11 control areas defined in Annex A of the ISO/IEC 27001:2005 edition of the standard (later editions regroup the same ground: 14 control domains in the 2013 edition and four control themes in the 2022 edition) and address the supporting business controls and procedures for secure business processing:

Security Policy

Organization of information security

Asset Management

Human resources security

Physical and Environmental Security

Communications and Operations Management

Access Control

Information systems acquisition, development and maintenance

Information security incident management

Business Continuity Management

Compliance

Following the gap analysis, formal information security policies and procedures should be documented and accepted by the organization. Security awareness training is usually carried out to inform all employees of the new rules and organizational changes.

Compliance with the policies has to be monitored continuously, and the controls should be amended regularly to cover any newly identified risks.

It is important to realize that security is a process, not a product, so the Plan - Do - Check - Act (PDCA) model has to be built into the business environment permanently, with regular security auditing, vulnerability assessments, updating and patching of the IT systems and updating of the supporting policies and procedures.

Contacts

NetSafety is a global information security consulting firm with its head office in Sofia, Bulgaria and partner offices in Johannesburg, South Africa. Many successful projects across Europe, the UK, Africa and Australia provide a proven professional track record and stand behind the quality of our services.